Google Begins Rolling Out Fix for WiFi Vulnerability

Google is now beginning to roll out a fix for the WiFi vulnerability that took the internet world by storm yesterday. It was reported that, over an open WiFi connection, Android devices were prone to having personal information stolen. Luckily, the Google team is on top of it and has just released this statement.

“Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts,” a Google spokesperson said. “This fix requires no action from users and will roll out globally over the next few days.”

Time to put this one to bed. It’s impressive that Google can fix these issues OTA, while carriers have such troubles. But, this is something we’re grateful for! We’re hoping no one became a victim to this back door.

Via: PC Mag

Cheers Justin!

  • Anonymous

    tinyurl.com/2df4ccp

  • http://www.facebook.com/johncorfee John Corfee

     Simple fix, don’t use a wifi network that you don’t know!!

  • Rain_king46

    Yet another example of why I wish all of our OS updates came directly through Google rather than through VZ, or the manufacturer. Google identifies a problem and within a couple of days is announcing an OTA fix. If this was a VZ issue or a manufacturer it would be “we are working on it” and weeks if not months later we might get a buggy “fix” if we are lucky. Good job Google! While you are at it, can you please send us Moto users a fix for this virus called Blur on our phones? :D

    • http://twitter.com/rgmills33 Robert Mills

      It’s not an OTA update…it’s a fix on the backend.  Not sure we are “lucky” since they fixed the issue in 2.3.4/3.0 and didn’t mention anything about there being an issue with ClientLogin.  Now, we are left with calendar and contacts secured, but any other on device app that uses ClientLogin is still vulnerable.  It’s a half-baked solution and there hasn’t been any mention of them pushing out an OTA to older devices to fix the issue.  If an OTA is in the pipe, you’re right we won’t see it for a while thanks to the delays from OEMs and carriers.

      • Rain_king46

        “This fix requires no action from users and will roll out globally over the next few days.” Maybe I am missing something, but doesn’t that kind of imply OTA?

        • http://twitter.com/rgmills33 Robert Mills

          Nope.  It doesn’t require an action from users.  I think saying “no action” would be poor phrasing for an OTA since OTAs require that users accept/install.  If it’s an OTA that doesn’t require action, that’d be a huge concern that Google can force updates to your device without you knowing, even though it’s in the best interest of the user to install it from a security POV.  It’d also raise some red flags about what Google can/cannot update in that manner and/or can it be exploited.

          • Guest

             They already can remove apps from your phone without user intervention, they can do the same with this fix.

          • http://twitter.com/rgmills33 Robert Mills

            Slightly different, we are talking about changing core OS libraries, not removing an isolated APK.   

      • tjhrulz

        I think he is just saying that he likes that Google was quick to solve the issue, something Verizon is famous for not bothering to do right away.

  • Anonymous

    What I find most compelling about this story is that there are people out there who are actually actively monitoring WiFi signals, hoping to hack into someone’s Droid and get their information.  

  • Mdn5024

    That’s what she said haha

  • http://twitter.com/SJFee SJFee

     My back door is a victim of the burrito I ate for lunch.  Phone is OK though.

  • Breturn6

     Nothing is worse than being a victim to the backdoor!

    • shiek2134

       Wow…that was tremendously hilarious.

  • Anonymous

    Maybe they should do like *pple and update our phone software the same way.  Not even let the phone manufacturers get their grubby hands on it.  Then I realized, they probably get some sort of compensation from those manufacturers.

  • Rwcraftjr

    Maybe I am naive, but how will they roll out an update to those of us with custom ROMs?

    • http://profiles.google.com/jeremy.sheehan Jeremy Sheehan

       The article says that it’s a server side fix and also very boldly (in bold type) states 

      “This fix requires no action from users and will roll out globally over the next few days.”

      • Rwcraftjr

        I didn’t read the pcmag article.

        • http://profiles.google.com/jeremy.sheehan Jeremy Sheehan

          You probably didn’t read this article either.  That quote was taken from the very article you’re commenting on.  

          • Rwcraftjr

             Apparently not. I need a larger screen….or glasses.

      • Guest

         WRONG.  The article DOES NOT say it’s a server side fix.

        The fix is in the Operating System.

        • http://twitter.com/rgmills33 Robert Mills

          No, it’s not.  If this was an OTA, they wouldn’t be limited to just fixing Google Calendar and Contacts.  Any application that uses ClientLogin would be fixed.  Instead, there is still an issue with Picasa, Facebook, Twitter, etc.

          http://blogs.computerworld.com/18304/scary_android_security_hole_in_99_of_phones_panic?ub#ub

          • Guest

             I still don’t see any info in there that’s from Google saying it’s a server side patch.

            Oh, and maybe you can figure out why Google would release a server side patch that ‘will roll out globally over the next few days’.  Server side patches are applied immediately and affect all clients connecting to the server.

            Also, if it could be fixed from the server, why would it be fixed in Android 2.3.4 and not older versions?  If they had the ability to fix it from the server all versions of Android would be fixed.

            Nice try though, but next time do some critical thinking first.

          • http://www.greatplainstech.com/ BWSchwartz

            Server side fix per this http://bit.ly/kuEn53. Otherwise how exactly do you figure Google would be able to patch every Android phone without going through the carriers? Not stating they can’t just asking…

          • Guest

             They are able to patch each android phone the same way google can uninstall apps without your intervention.

          • tjhrulz

            Exactly what I was thinking if they can install/uninstall an app why can’t they send an app that is hidden to every user that fixes the problem.

          • Maxxmentum

             Hi, so if you are rooted with OTA shut off, I am assuming it’s off as I did not get repeated updates for the last patch, they will send an update via the marketplace?

          • http://twitter.com/rgmills33 Robert Mills

            Just like any Google service where features are rolled out over time.  It’s not like these services are centralized. It takes time to roll these out to all users.  Plus, if there are unforeseen side effects, why have to patch all users instead of a limited subset?  Same concept for staggered OTA rollouts.

            Also, the fact that they are ONLY fixing Google related (Calendar and Contacts) services suggests that it is on their end.  Otherwise, other apps that use ClientLogin would be good to go.  So if it’s an OTA, then the Calendar and Contacts apk’s would be updated, what about those who have OEM custom builds of those apps?

  • http://twitter.com/rgmills33 Robert Mills

     The fix is being rolled out on their servers, not our devices.  That’s why only Google related services Contacts and Calendar are being fixed.  Twitter, Facebook, etc. seem to still be vulnerable.

  • Anonymous

    Aww I felt so special as a 1%er, especially on my og droid running on the cm7 nightlies. Well I guess I am still one of very few on 2.3.4.
    +1 for CM developers

  • http://profiles.google.com/isaacinsley Isaac Insley

     no action by user? wha?

    • http://profiles.google.com/chasehammer Chase Johnson

      It’s on their end, not the phones, which isn’t a fix at all….

  • Mellow19

    So do phones that have custom ROMs….will they also be updated or do we have to wait for the developer to update with a patch?

    • http://www.droid-life.com Tim-o-tato

      You’re most likely going to have to update yourself :) 
      Or be in compliance with your warranty and go back to STOCK! 

      Just kidding ;) 

    • http://twitter.com/protozeloz Abel

       It’s probably an update to the Google core apps with their death ray bam wam lazor so you may get it too

  • http://www.facebook.com/people/Aaron-Rose/100000483772011 Aaron Rose

    I upgraded to Liquid Gingerbread 1.85 yesterday, which is running Android 2.3.4, which has it fixed… but thanks anyway Google!

  • Elix0r

    Could they go ahead and ya know.. fix this whole Thunderbolt thing while they’re at it? 

    • http://www.droid-life.com Tim-o-tato

      If only life was that easy :P